Merge pull request #8730 from jsuther1974/WDAC-Docs

Removed claim that user writeable check on filepath rules is done recursively for parent directories
Stephanie Savell 2023-08-14 13:02:50 -05:00 committed by GitHub
commit 9171922a70
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -2,7 +2,7 @@
title: Understand Windows Defender Application Control (WDAC) policy rules and file rules title: Understand Windows Defender Application Control (WDAC) policy rules and file rules
description: Learn how WDAC policy rules and file rules can control your Windows 10 and Windows 11 computers. description: Learn how WDAC policy rules and file rules can control your Windows 10 and Windows 11 computers.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 06/07/2023 ms.date: 08/11/2023
ms.topic: article ms.topic: article
--- ---
@ -127,7 +127,7 @@ Filepath rules don't provide the same security guarantees that explicit signer r
### User-writable filepaths ### User-writable filepaths
By default, WDAC performs a user-writeability check at runtime that ensures that the current permissions on the specified filepath and its parent directories (recursively) don't allow standard users write access. By default, WDAC performs a user-writeability check at runtime that ensures that the current permissions on the specified filepath only allow write access for admin users.
There's a defined list of SIDs that WDAC recognizes as admins. If a filepath allows write permissions for any SID not in this list, the filepath is considered to be user-writeable, even if the SID is associated to a custom admin user. To handle these special cases, you can override WDAC's runtime admin-writeable check with the **Disabled:Runtime FilePath Rule Protection** option described earlier. There's a defined list of SIDs that WDAC recognizes as admins. If a filepath allows write permissions for any SID not in this list, the filepath is considered to be user-writeable, even if the SID is associated to a custom admin user. To handle these special cases, you can override WDAC's runtime admin-writeable check with the **Disabled:Runtime FilePath Rule Protection** option described earlier.
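Review bot: the new wording in the second hunk, "only allow write access for admin users", is broader than the unchanged paragraph that follows it, which says the check compares against a defined list of SIDs that WDAC recognizes as admins and treats write permission for any other SID as user-writeable, even when that SID is a custom admin account; suggest phrasing the rewritten sentence in the same terms, e.g. "don't grant write access to any SID outside the list of admin SIDs that WDAC recognizes", so the two paragraphs agree. Since this change drops the statement that parent directories are checked recursively, it would help readers to say explicitly that only the permissions on the specified filepath are evaluated, so that securing parent-directory ACLs is understood to remain the administrator's responsibility rather than something the runtime check covers. Minor style point: the heading reads "User-writable" while the body uses "user-writeability" and "admin-writeable"; one spelling should be used throughout.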